MashSSL Alliance Formed to Promote Open Standard for Trust Establishment Between Web Applications

Industry Leaders Including Comodo, DigiCert, Entrust and VeriSign Join Forces to Create Open Standard Based on MashSSL Technology Developed by Application Authentication Pioneer SafeMashups

MOUNTAIN VIEW, CA--(Marketwire - November 12, 2009) - A consortium of leading technology
companies today announced the creation of the MashSSL Alliance, an
organization dedicated to evangelizing the use of the MashSSL technology
and specification. MashSSL is an innovative way to use the proven and
trusted SSL protocol and trust infrastructure to solve the tricky and
serious problem of trust establishment between web applications
communicating through an end user at a browser. This is a hard problem as
the web applications have to assume that the user in the middle could be a
malicious hacker or a legitimate user with a malware infected browser.

"Having been both a vendor and security practitioner, what makes MashSSL
such an innovative and elegant solution is the fact that it sits on top of
SSL at the application layer and does not disrupt the existing ecosystem --
no new crypto protocols to analyze, no changes to the browser and no new
types of credentials," said Lynn Terwoerds, Former Head of Security
Architecture & Standards, Barclays GRCB, former Senior Security Strategist,
Microsoft, and member of the Cloud Security Alliance. "The ability to
significantly reduce the risk involved with online collaboration and
transactions opens up a whole new realm of opportunities to both product
developers and to security practitioners who need to live in a highly
virtualized and cloud based world, where applications and data no longer
reside in a single location."

"End users' Web experiences, be it in healthcare or any other vertical, are
increasingly an aggregation of data and processing from cooperating Web
applications that communicate wholly or partially through the user's
browser," said Sue Merk, vice president of business development and product
management at OneHealthPort, a coalition of health plans, physicians and
hospitals that joined together to build a trusted community where business
and clinical information could be shared securely. "Unfortunately, a
malicious man-in-the-middle attack or a user infected with
man-in-the-browser malware can easily subvert such communications. An open
standard to solve this universal problem once, and not in a piece meal ad
hoc fashion, has been a long time coming. That it is based on the trusted
and familiar SSL certificate infrastructure is a bonus."

MashSSL, which was first developed by application authentication pioneer
SafeMashups, has now become an open specification with an open source
reference implementation, and is in the process of being standardized.

"Using different proprietary security methods and a multitude of
quasi-trusted credentials to solve this fundamental problem is clearly
inefficient and will lead to administrative errors which underlie many
vulnerabilities," said Siddharth Bajaj, Principal in the Innovation Group
at VeriSign and steering committee chair of both the MashSSL Alliance and
W3C MashSSL XG.
"MashSSL repurposes SSL to create a secure application layer pipe through
which open protocols like OAuth, OpenID, OpenAJAX, etc., and proprietary
applications like payment provider interfaces can flow in a more secure
fashion while leveraging the already existing trust and credential
infrastructure."

While MashSSL was originally developed for use with newer mashup
technologies, it became rapidly apparent that the protocol can be used in
any situation where two Web applications need to communicate through a
user's browser, where the user may be malicious or the browser infected
with malware. Consequently, the potential field of use for MashSSL is very
broad, including potentially underlying identity federation protocols,
payment button interfaces, etc.

The initial MashSSL specification and open source reference implementation
have been made generally available at www.mashssl.org.